PC-Apokalypse: Firewall Deaktivierung, Firefox defekt, AntiVir Meldungen...

air-sash · 26.02.2010, 13:20

Hallo zusammen,

die Apokalypse meines PCs begann heute morgen, nach dem Besuch einer gegoogelten Website -> inhaltloses Pop-Up öffnete sich! Seitdem: Bei Neustart automatische Deaktivierung der Windows-Firewall, Firefox läuft nicht mehr (schreibe vom Internet Explorer), AntiVir meldete u.a. tr/dropper.gen.

Hier der aktuelle Hijack-Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:23:39, on 26.02.2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16981)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Avira\AntiVir Desktop\avguard.exe
C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programme\Bonjour\mDNSResponder.exe
C:\Programme\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\Programme\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Seagate\SeagateManager\Sync\MaxSync.exe
C:\PROGRA~1\GEMEIN~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\WINDOWS\SPMSMON.EXE
C:\Programme\Java\jre6\bin\jusched.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\Cherry\KeyMan\KeyMan.exe
C:\Programme\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\FreePDF_XP\fpassist.exe
C:\Programme\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Programme\SlySoft\CloneCD\CloneCDTray.exe
C:\PROGRA~1\GEMEIN~1\PCSuite\Services\SERVIC~1.EXE
C:\Programme\Cherry\CDI\cdi.exe
C:\Programme\Avira\AntiVir Desktop\avgnt.exe
C:\Programme\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe
C:\Programme\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Messenger\msmsgs.exe
C:\Programme\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Programme\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\agfguard.exe
C:\Programme\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
C:\PROGRA~1\GEMEIN~1\Nokia\MPAPI\MPAPI3s.exe
C:\Programme\iPod\bin\iPodService.exe
c:\programme\avira\antivir desktop\avcenter.exe
C:\Programme\Avira\AntiVir Desktop\avscan.exe
C:\Programme\GIMP-2.0\bin\gimp-2.6.exe
C:\Programme\GIMP-2.0\lib\gimp\2.0\plug-ins\script-fu.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Programme\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Programme\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: PDFCreator Toolbar Helper - {C451C08A-EC37-45DF-AAAD-18B51AB5E837} - C:\Programme\PDFCreator Toolbar\v3.3.0.1\PDFCreator_Toolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programme\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programme\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Programme\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: PDFCreator Toolbar - {31CF9EBE-5755-4A1D-AC25-2834D952D9B4} - C:\Programme\PDFCreator Toolbar\v3.3.0.1\PDFCreator_Toolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Programme\Nokia\Nokia PC Suite 6\Launch Application 2.exe -onlytray
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\GEMEIN~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [ChangeICON] C:\WINDOWS\SPMSMON.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CherryKeyMan] "C:\Programme\Cherry\KeyMan\KeyMan.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Programme\Gemeinsame Dateien\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Programme\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [ScanSoft OmniPage SE 4.0-reminder] "C:\Programme\ScanSoft\OmniPageSE4.0\Ereg\Ereg.exe" -r "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\ScanSoft\OmniPageSE4.0\Ereg\ereg.ini"
O4 - HKLM\..\Run: [FreePDF Assistant] C:\Programme\FreePDF_XP\fpassist.exe
O4 - HKLM\..\Run: [MMTray] "C:\Programme\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [mmtask] "C:\Programme\Musicmatch\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [CloneCDTray] "C:\Programme\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [avgnt] "C:\Programme\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [MaxMenuMgr] "C:\Programme\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programme\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [PcSync] C:\Programme\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programme\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: ISDN Guard.lnk = C:\WINDOWS\agfguard.exe
O4 - Global Startup: Ulead Kalendar Checker 4.0 SE.lnk = C:\Programme\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Easy-WebPrint - Drucken - res://C:\Programme\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O8 - Extra context menu item: Easy-WebPrint - Schnelldruck - res://C:\Programme\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint - Vorschau - res://C:\Programme\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint - Zu Druckliste hinzufügen - res://C:\Programme\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Mobilen Favoriten erstellen - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Mobilen Favoriten erstellen... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F9043C85-F6F2-101A-A3C9-08002B2F49FB} (Microsoft Common Dialog Control, version 6.0 (SP6)) - http://activex.microsoft.com/controls/vb5/comdlg32.cab
O23 - Service: Avira AntiVir Planer (AntiVirSchedulerService) - Avira GmbH - C:\Programme\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Programme\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour-Dienst (Bonjour Service) - Apple Inc. - C:\Programme\Bonjour\mDNSResponder.exe
O23 - Service: Cherry Device Interface - Cherry, Auerbach Germany, www.cherry.de - C:\Programme\Cherry\CDI\cdi.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - Unknown owner - C:\MAGIX\Common\Database\bin\fbserver.exe (file missing)
O23 - Service: Seagate Service (FreeAgentGoNext Service) - Seagate Technology LLC - C:\Programme\Seagate\SeagateManager\Sync\FreeAgentService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programme\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Hardware management services (svchost) - Ohofdkiyxvusgeipnutq Wztwfpwuytdg Pqtvsmuxzruvzxrywblnqsvu - C:\WINDOWS\system\svchost.exe

--
End of file - 10755 bytes

Ich bin User und habe keine große Ahnung von Betriebssystemen, etc..
Mich würde hauptsächlich interessieren:

Welche Informationen gibt die Hijack Logfile?
Muss ich das System neu aufsetzen? (Kann ich nicht selber, würde ein Freund für mich machen - aber erst in einer Woche.)
Kann ich bis dahin "halbwegs sicher" arbeiten - Online-Banking, etc?

Vielen Dank für Eure Antworten!

Viele Grüße

Sascha

Chris4You · 26.02.2010, 19:29

Hi,

lass die Finger von Onlinebanking...

Bitte folgende Files prüfen:

Dateien Online überprüfen lassen:

Als erstes versteckte Dateien anzeigen lassen!

(nur Punkt 1 durchführen!)

Suche die Seite Virtustotal auf, klicke auf den Button „Durchsuchen“ und suche folgende Datei/Dateien:

Code:

ATTFilter

C:\WINDOWS\system\svchost.exe

Lade nun nacheinander jede/alle Datei/Dateien hoch, und warte bis der Scan vorbei ist. (kann bis zu 2 Minuten dauern.)

Poste im Anschluss das Ergebnis der Auswertung, alles abkopieren und in einen Beitrag einfügen.

Wichtig: Auch die Größenangabe sowie den HASH mit kopieren!

Malwarebytes Antimalware (MAM)
Anleitung&Download hier: http://www.trojaner-board.de/51187-malwarebytes-anti-malware.html
Falls der Download nicht klappt, bitte hierüber eine generische Version runterladen:
http://filepony.de/download-chameleon/
Fullscan und alles bereinigen lassen! Log posten. Mal sehen was MAM dazu sagt...

Gmer:
http://www.trojaner-board.de/74908-anleitung-gmer-rootkit-scanner.html
Den Downloadlink findest Du links oben (http://www.gmer.net/#files), dort dann
auf den Button "Download EXE", dabei wird ein zufälliger Name generiert (den und den Pfad wo Du sie gespeichert hast bitte merken).
Starte GMER und schaue, ob es schon was meldet. Macht es das, bitte alle Fragen mit "nein" beantworten, auf den Reiter "rootkit" gehen, wiederum die Frage mit "nein" beantworten und mit Hilfe von copy den Bericht in den Thread einfügen. Meldet es so nichts, gehe auf den Reiter Rootkit und mache einen Scan. Ist dieser beendet, wähle Copy und füge den Bericht ein.

chris
Für mich:
C:\WINDOWS\system\svchost.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
O23 - Service: Hardware management services (svchost) - Ohofdkiyxvusgeipnutq Wztwfpwuytdg Pqtvsmuxzruvzxrywblnqsvu - C:\WINDOWS\system\svchost.exe

air-sash · 27.02.2010, 09:31

Hier das Ergebnis nach der Anleitung oben:

Antivirus Version letzte aktualisierung Ergebnis
a-squared 4.5.0.50 2010.02.27 -
AhnLab-V3 5.0.0.2 2010.02.26 -
AntiVir 8.2.1.176 2010.02.26 -
Antiy-AVL 2.0.3.7 2010.02.26 -
Authentium 5.2.0.5 2010.02.27 -
Avast 4.8.1351.0 2010.02.27 -
Avast5 5.0.332.0 2010.02.26 -
AVG 9.0.0.730 2010.02.26 -
BitDefender 7.2 2010.02.27 -
CAT-QuickHeal 10.00 2010.02.27 Win32.PE.Packed.Win32.Krap.af.4
ClamAV 0.96.0.0-git 2010.02.27 -
Comodo 4080 2010.02.27 Heur.Suspicious
DrWeb 5.0.1.12222 2010.02.27 -
eSafe 7.0.17.0 2010.02.25 -
eTrust-Vet 35.2.7331 2010.02.26 -
F-Prot 4.5.1.85 2010.02.26 -
F-Secure 9.0.15370.0 2010.02.27 -
Fortinet 4.0.14.0 2010.02.26 -
GData 19 2010.02.27 -
Ikarus T3.1.1.80.0 2010.02.27 -
Jiangmin 13.0.900 2010.02.27 -
K7AntiVirus 7.10.984 2010.02.26 -
Kaspersky 7.0.0.125 2010.02.27 Trojan.Win32.Swisyn.ywu
McAfee 5904 2010.02.26 -
McAfee+Artemis 5904 2010.02.26 -
McAfee-GW-Edition 6.8.5 2010.02.27 -
Microsoft 1.5502 2010.02.27 -
NOD32 4899 2010.02.26 -
Norman 6.04.08 2010.02.27 -
nProtect 2009.1.8.0 2010.02.27 -
Panda 10.0.2.2 2010.02.26 Suspicious file
PCTools 7.0.3.5 2010.02.27 -
Prevx 3.0 2010.02.27 -
Rising 22.36.05.04 2010.02.27 -
Sophos 4.50.0 2010.02.27 -
Sunbelt 5702 2010.02.27 Trojan.Win32.Generic!SB.0
Symantec 20091.2.0.41 2010.02.27 Suspicious.Insight
TheHacker 6.5.1.6.213 2010.02.27 -
TrendMicro 9.120.0.1004 2010.02.27 -
VBA32 3.12.12.2 2010.02.26 -
ViRobot 2010.2.27.2205 2010.02.27 -
VirusBuster 5.0.27.0 2010.02.26 -
weitere Informationen
File size: 40960 bytes
MD5...: 448b2533193e7d2581c84fd2f235b479
SHA1..: a87b6ae2f8620d82dfd463047c355c9efd8df020
SHA256: 2829bae4c51390be4d494ca53f3a1a8db3602a0eb1b532c90d61e97c65e4dbc7
ssdeep: 768:RiA+kO3n+dH1UVu9GffaNCzWWJ/XpkdImrbVzwSfVUdgblXA:R+QHS+bNvWJ
/ZwImrb3NblXA

PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x1000
timedatestamp.....: 0x3329b400 (Fri Mar 14 20:24:32 1997)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x34ba 0x3600 5.42 b3e22ffd1aa472bc44706cec1cf4000d
.rdata 0x5000 0x5f1 0x600 4.49 f8467c3602b24b18428fbfd2dbecfed2
.data 0x6000 0x24000 0x5c00 6.31 63076797eb3ef543c44bb83dc716dcda
.rsrc 0x2a000 0x3fc 0x400 3.50 b941e81ad16e764cc1c743d241071a2f

( 2 imports )
> KERNEL32.dll: GetCommandLineA, CreateMutexW, CancelWaitableTimer, VirtualAlloc, GetCalendarInfoA, GetFileAttributesExW, TerminateThread, GetNumberFormatA, GetAtomNameW, DeleteFileA, ConvertDefaultLocale, CompareFileTime, CreateThread, LoadLibraryW, GetCommandLineA, Beep, FatalAppExitW
> USER32.dll: GetSysColorBrush, GetDlgItem, TranslateMessageEx, SendMessageA, DialogBoxParamW, MessageBoxA, IsCharLowerA, DispatchMessageW, GetFocus, GetDlgItemTextW, LoadCursorA, LoadCursorW, ShowWindow, EndDialog, GetClientRect, LoadStringA, GetParent, SendDlgItemMessageA, wsprintfA, CharNextW, wsprintfW, SetWindowLongA, InvalidateRect, SetWindowPos, GetWindowRect, GetDesktopWindow, SetWindowTextA, GetSystemMetrics, ReleaseDC, CreateWindowExW, KillTimer, SetDlgItemInt, PostQuitMessage, SetTimer, DispatchMessageA, EnableWindow, CharNextA, SendMessageW, LoadCursorA, SendDlgItemMessageW, SetWindowLongW

( 0 exports )

RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win32 Executable MS Visual C++ 4.x (90.7%)
Win32 Dynamic Link Library (generic) (5.1%)
Win16/32 Executable Delphi generic (1.3%)
Generic Win/DOS Executable (1.3%)
DOS Executable Generic (1.3%)
sigcheck:
publisher....: Ohofdkiyxvusgeipnutq Wztwfpwuytdg Pqtvsmuxzruvzxrywblnqsvu
copyright....: Nusmuyrpwpnumtvlywvthgnlpwvyos Qsvxqtwybdgilprlzilnbegpsu
product......: Gnlsfeidbigqmtsrgelj Wuqexvatgnrpwgeljqps
description..: Fmmvxyruwzzypqsvyqtvy
original name: n/a
internal name: n/a
file version.: 8.6.9.6
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

---------------------------------------------------------

Vielen Dank soweit.
Ich habe gestern mal AntiVir im kompletten Systemcheck über den Rechner laufen lassen. Ergebnis 57 Funde, davon allerdings 90% Funde aus einem alten Backup-Dateien-Ordnder. Nach der "Reparatur" mit AntiVir bleibt nun die Firewall an, aber Firefox geht immer noch nicht!

Vielen Dank für Eure weitere Hilfe!

Viele Grüße

Sascha

Chris4You · 27.02.2010, 11:23

Hi,

bitte MAM laufen lassen und das Log posten, GMER und danach ein neues HJ-Log... (siehe post von mir...)

Du hast mit hoher Wahrscheinlichkeit einen noch unbekannten Trojaner/Backdoor auf dem Rechner, den lt. Virustotal auch AntiVir nicht findet. Falls MAM ihn nicht beseitigt machen wir das per Hand...

chris

air-sash · 27.02.2010, 20:24

Hier der MAM-Log als Zwischenbericht. Ich mache dann wie beschrieben mit GMER weiter...

Malwarebytes' Anti-Malware 1.44
Datenbank Version: 3799
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

27.02.2010 20:20:19
mbam-log-2010-02-27 (20-20-19).txt

Scan-Methode: Vollständiger Scan (C:\|D:\|E:\|I:\|)
Durchsuchte Objekte: 344333
Laufzeit: 6 hour(s), 18 minute(s), 24 second(s)

Infizierte Speicherprozesse: 1
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 13
Infizierte Registrierungswerte: 1
Infizierte Dateiobjekte der Registrierung: 1
Infizierte Verzeichnisse: 1
Infizierte Dateien: 3

Infizierte Speicherprozesse:
C:\WINDOWS\system\svchost.exe (Backdoor.Bot) -> Unloaded process successfully.

Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel:
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\svchost (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\WUSN.1 (Adware.WhenU) -> Quarantined and deleted successfully.

Infizierte Registrierungswerte:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\uid (Malware.Trace) -> Quarantined and deleted successfully.

Infizierte Dateiobjekte der Registrierung:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.

Infizierte Verzeichnisse:
C:\WINDOWS\system32\lowsec (Stolen.data) -> Quarantined and deleted successfully.

Infizierte Dateien:
C:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> Quarantined and deleted successfully.
C:\WINDOWS\system\svchost.exe (Backdoor.Bot) -> Delete on reboot.

-----------------------------

Vielen Dank und viele Grüße,

Sascha

air-sash · 28.02.2010, 14:01

So, ich habe jetzt seit gestern ca. 5x GMER laufen lassen. Der Scan läuft normal an und arbeitet minuten bzw. stundenlang und stürzt dann jedesmal vor Scanende ab. Der PC startet neu und XP spricht von einem "schwerwiegenden Fehler", der zum Neustart geführt hat. Was ist da los?

Firefox funktioniert übrigens mittlerweile wieder.
Hier die aktuelle Hikjack-Logfile:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:54:48, on 28.02.2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16981)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Avira\AntiVir Desktop\sched.exe
C:\Programme\Avira\AntiVir Desktop\avguard.exe
C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programme\Bonjour\mDNSResponder.exe
C:\Programme\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\Programme\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Seagate\SeagateManager\Sync\MaxSync.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Nokia\Nokia PC Suite 6\Launch Application 2.exe
C:\PROGRA~1\GEMEIN~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\WINDOWS\SPMSMON.EXE
C:\Programme\Java\jre6\bin\jusched.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\Cherry\KeyMan\KeyMan.exe
C:\Programme\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\Programme\FreePDF_XP\fpassist.exe
C:\PROGRA~1\GEMEIN~1\PCSuite\Services\SERVIC~1.EXE
C:\Programme\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Programme\Cherry\CDI\cdi.exe
C:\Programme\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Programme\SlySoft\CloneCD\CloneCDTray.exe
C:\Programme\Avira\AntiVir Desktop\avgnt.exe
C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Programme\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe
C:\Programme\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Messenger\msmsgs.exe
C:\Programme\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Programme\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\agfguard.exe
C:\Programme\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
C:\PROGRA~1\GEMEIN~1\Nokia\MPAPI\MPAPI3s.exe
C:\Programme\iPod\bin\iPodService.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Programme\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Programme\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: PDFCreator Toolbar Helper - {C451C08A-EC37-45DF-AAAD-18B51AB5E837} - C:\Programme\PDFCreator Toolbar\v3.3.0.1\PDFCreator_Toolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programme\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programme\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Programme\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: PDFCreator Toolbar - {31CF9EBE-5755-4A1D-AC25-2834D952D9B4} - C:\Programme\PDFCreator Toolbar\v3.3.0.1\PDFCreator_Toolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Programme\Nokia\Nokia PC Suite 6\Launch Application 2.exe -onlytray
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\GEMEIN~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [ChangeICON] C:\WINDOWS\SPMSMON.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CherryKeyMan] "C:\Programme\Cherry\KeyMan\KeyMan.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Programme\Gemeinsame Dateien\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Programme\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [ScanSoft OmniPage SE 4.0-reminder] "C:\Programme\ScanSoft\OmniPageSE4.0\Ereg\Ereg.exe" -r "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\ScanSoft\OmniPageSE4.0\Ereg\ereg.ini"
O4 - HKLM\..\Run: [FreePDF Assistant] C:\Programme\FreePDF_XP\fpassist.exe
O4 - HKLM\..\Run: [MMTray] "C:\Programme\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [mmtask] "C:\Programme\Musicmatch\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [CloneCDTray] "C:\Programme\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [avgnt] "C:\Programme\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [MaxMenuMgr] "C:\Programme\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programme\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [PcSync] C:\Programme\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programme\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: ISDN Guard.lnk = C:\WINDOWS\agfguard.exe
O4 - Global Startup: Ulead Kalendar Checker 4.0 SE.lnk = C:\Programme\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Easy-WebPrint - Drucken - res://C:\Programme\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O8 - Extra context menu item: Easy-WebPrint - Schnelldruck - res://C:\Programme\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint - Vorschau - res://C:\Programme\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint - Zu Druckliste hinzufügen - res://C:\Programme\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Mobilen Favoriten erstellen - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Mobilen Favoriten erstellen... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F9043C85-F6F2-101A-A3C9-08002B2F49FB} (Microsoft Common Dialog Control, version 6.0 (SP6)) - http://activex.microsoft.com/controls/vb5/comdlg32.cab
O23 - Service: Avira AntiVir Planer (AntiVirSchedulerService) - Avira GmbH - C:\Programme\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Programme\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour-Dienst (Bonjour Service) - Apple Inc. - C:\Programme\Bonjour\mDNSResponder.exe
O23 - Service: Cherry Device Interface - Cherry, Auerbach Germany, www.cherry.de - C:\Programme\Cherry\CDI\cdi.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - Unknown owner - C:\MAGIX\Common\Database\bin\fbserver.exe (file missing)
O23 - Service: Seagate Service (FreeAgentGoNext Service) - Seagate Technology LLC - C:\Programme\Seagate\SeagateManager\Sync\FreeAgentService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programme\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 10186 bytes

-----------------------------

Wie soll es nun weitergehen?

Vielen Dank für Deine Antwort!

Viele Grüße

Sascha

Chris4You · 01.03.2010, 07:55

Hi,

da war ein Backdoor drauf, daher alle Passwörter ändern und eigentlich ist jetzt Neuaufsetzen angesagt da nicht nachvollzogen werden kann, was sonst noch alles geändert wurde...

Statt GMER:

TDSS-Killer
Download und Anweisung unter: http://www.trojaner-board.de/82358-tdsskiller-google-umleitungen-tdss-tdl3-alureon-rootkit-entfernen.html#post640150
Entpacke alle Dateien!

Start.bat erstellen:
Start->alle Programme->Zubehör->Editor und kopiere folgenden Text rein:

Code:

ATTFilter

@ECHO OFF
TDSSKiller.exe -l report.txt -v
DEL %0

Speichern als: start.bat

abspeichern unter : Dateityp: alle Dateien

speichere die Datei im Ordner wo auch TDSSKiller.exe steht

Doppelklick start.bat

TDSSKiller.exe wird gestartet und ein Log erzeugen(report.txt).
Wenn TDSSKiller fertig ist poste den Inhalt der report.txt.

chris

air-sash · 01.03.2010, 09:40

TDSS-Killer:

09:32:29:156 0560 TDSS rootkit removing tool 2.2.2 Jan 13 2010 08:42:25
09:32:29:171 0560 ================================================================================
09:32:29:171 0560 SystemInfo:

09:32:29:171 0560 OS Version: 5.1.2600 ServicePack: 3.0
09:32:29:171 0560 Product type: Workstation
09:32:29:171 0560 ComputerName: AIR-TOWER
09:32:29:171 0560 UserName: air-sash
09:32:29:171 0560 Windows directory: C:\WINDOWS
09:32:29:171 0560 Processor architecture: Intel x86
09:32:29:171 0560 Number of processors: 1
09:32:29:171 0560 Page size: 0x1000
09:32:29:171 0560 Boot type: Normal boot
09:32:29:171 0560 ================================================================================
09:32:29:187 0560 UnloadDriverW: NtUnloadDriver error 2
09:32:29:187 0560 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
09:32:29:203 0560 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
09:32:29:296 0560 UtilityInit: KLMD drop and load success
09:32:29:296 0560 KLMD_OpenDevice: Trying to open KLMD Device(KLMD201000)
09:32:29:296 0560 UtilityInit: KLMD open success
09:32:29:296 0560 UtilityInit: Initialize success
09:32:29:296 0560
09:32:29:296 0560 Scanning Services ...
09:32:29:296 0560 CreateRegParser: Registry parser init started
09:32:29:296 0560 DisableWow64Redirection: GetProcAddress(Wow64DisableWow64FsRedirection) error 127
09:32:29:296 0560 CreateRegParser: DisableWow64Redirection error
09:32:29:296 0560 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
09:32:29:296 0560 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\system) returned status C0000043
09:32:29:296 0560 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
09:32:29:296 0560 wfopen_ex: Trying to KLMD file open
09:32:29:296 0560 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\system
09:32:29:296 0560 wfopen_ex: File opened ok (Flags 2)
09:32:29:296 0560 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\system) init success: 3848C0
09:32:29:296 0560 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
09:32:29:296 0560 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\software) returned status C0000043
09:32:29:296 0560 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
09:32:29:296 0560 wfopen_ex: Trying to KLMD file open
09:32:29:296 0560 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\software
09:32:29:296 0560 wfopen_ex: File opened ok (Flags 2)
09:32:29:296 0560 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\software) init success: 384968
09:32:29:296 0560 EnableWow64Redirection: GetProcAddress(Wow64RevertWow64FsRedirection) error 127
09:32:29:296 0560 CreateRegParser: EnableWow64Redirection error
09:32:29:296 0560 CreateRegParser: RegParser init completed
09:32:29:765 0560 GetAdvancedServicesInfo: Raw services enum returned 307 services
09:32:29:765 0560 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
09:32:29:765 0560 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
09:32:29:765 0560
09:32:29:765 0560 Scanning Kernel memory ...
09:32:29:765 0560 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
09:32:29:765 0560 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 82F58A08
09:32:29:765 0560 DetectCureTDL3: KLMD_GetDeviceObjectList returned 7 DevObjects
09:32:29:765 0560
09:32:29:765 0560 DetectCureTDL3: DEVICE_OBJECT: 82B83C68
09:32:29:765 0560 KLMD_GetLowerDeviceObject: Trying to get lower device object for 82B83C68
09:32:29:765 0560 KLMD_ReadMem: Trying to ReadMemory 0x82B83C68[0x38]
09:32:29:765 0560 DetectCureTDL3: DRIVER_OBJECT: 82F58A08
09:32:29:765 0560 KLMD_ReadMem: Trying to ReadMemory 0x82F58A08[0xA8]
09:32:29:765 0560 KLMD_ReadMem: Trying to ReadMemory 0xE101D858[0x18]
09:32:29:765 0560 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
09:32:29:765 0560 DetectCureTDL3: IrpHandler (0) addr: F87BBBB0
09:32:29:765 0560 DetectCureTDL3: IrpHandler (1) addr: 804FA88E
09:32:29:765 0560 DetectCureTDL3: IrpHandler (2) addr: F87BBBB0
09:32:29:765 0560 DetectCureTDL3: IrpHandler (3) addr: F87B5D1F
09:32:29:765 0560 DetectCureTDL3: IrpHandler (4) addr: F87B5D1F
09:32:29:765 0560 DetectCureTDL3: IrpHandler (5) addr: 804FA88E
09:32:29:765 0560 DetectCureTDL3: IrpHandler (6) addr: 804FA88E
09:32:29:765 0560 DetectCureTDL3: IrpHandler (7) addr: 804FA88E
09:32:29:765 0560 DetectCureTDL3: IrpHandler (8) addr: 804FA88E
09:32:29:765 0560 DetectCureTDL3: IrpHandler (9) addr: F87B62E2
09:32:29:765 0560 DetectCureTDL3: IrpHandler (10) addr: 804FA88E
09:32:29:765 0560 DetectCureTDL3: IrpHandler (11) addr: 804FA88E
09:32:29:765 0560 DetectCureTDL3: IrpHandler (12) addr: 804FA88E
09:32:29:765 0560 DetectCureTDL3: IrpHandler (13) addr: 804FA88E
09:32:29:765 0560 DetectCureTDL3: IrpHandler (14) addr: F87B63BB
09:32:29:765 0560 DetectCureTDL3: IrpHandler (15) addr: F87B9F28
09:32:29:765 0560 DetectCureTDL3: IrpHandler (16) addr: F87B62E2
09:32:29:765 0560 DetectCureTDL3: IrpHandler (17) addr: 804FA88E
09:32:29:765 0560 DetectCureTDL3: IrpHandler (18) addr: 804FA88E
09:32:29:765 0560 DetectCureTDL3: IrpHandler (19) addr: 804FA88E
09:32:29:765 0560 DetectCureTDL3: IrpHandler (20) addr: 804FA88E
09:32:29:765 0560 DetectCureTDL3: IrpHandler (21) addr: 804FA88E
09:32:29:765 0560 DetectCureTDL3: IrpHandler (22) addr: F87B7C82
09:32:29:765 0560 DetectCureTDL3: IrpHandler (23) addr: F87BC99E
09:32:29:765 0560 DetectCureTDL3: IrpHandler (24) addr: 804FA88E
09:32:29:765 0560 DetectCureTDL3: IrpHandler (25) addr: 804FA88E
09:32:29:765 0560 DetectCureTDL3: IrpHandler (26) addr: 804FA88E
09:32:29:765 0560 TDL3_FileDetect: Processing driver: Disk
09:32:29:765 0560 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
09:32:29:765 0560 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
09:32:29:796 0560 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
09:32:29:796 0560
09:32:29:796 0560 DetectCureTDL3: DEVICE_OBJECT: 82E71AB8
09:32:29:796 0560 KLMD_GetLowerDeviceObject: Trying to get lower device object for 82E71AB8
09:32:29:796 0560 DetectCureTDL3: DEVICE_OBJECT: 82EC0D70
09:32:29:796 0560 KLMD_GetLowerDeviceObject: Trying to get lower device object for 82EC0D70
09:32:29:796 0560 KLMD_ReadMem: Trying to ReadMemory 0x82EC0D70[0x38]
09:32:29:796 0560 DetectCureTDL3: DRIVER_OBJECT: 82ED4A58
09:32:29:796 0560 KLMD_ReadMem: Trying to ReadMemory 0x82ED4A58[0xA8]
09:32:29:796 0560 KLMD_ReadMem: Trying to ReadMemory 0xE15E9260[0x1E]
09:32:29:796 0560 DetectCureTDL3: DRIVER_OBJECT name: \Driver\USBSTOR, Driver Name: USBSTOR
09:32:29:796 0560 DetectCureTDL3: IrpHandler (0) addr: F8A2A218
09:32:29:796 0560 DetectCureTDL3: IrpHandler (1) addr: 804FA88E
09:32:29:796 0560 DetectCureTDL3: IrpHandler (2) addr: F8A2A218
09:32:29:796 0560 DetectCureTDL3: IrpHandler (3) addr: F8A2A23C
09:32:29:796 0560 DetectCureTDL3: IrpHandler (4) addr: F8A2A23C
09:32:29:796 0560 DetectCureTDL3: IrpHandler (5) addr: 804FA88E
09:32:29:796 0560 DetectCureTDL3: IrpHandler (6) addr: 804FA88E
09:32:29:796 0560 DetectCureTDL3: IrpHandler (7) addr: 804FA88E
09:32:29:796 0560 DetectCureTDL3: IrpHandler (8) addr: 804FA88E
09:32:29:796 0560 DetectCureTDL3: IrpHandler (9) addr: 804FA88E
09:32:29:796 0560 DetectCureTDL3: IrpHandler (10) addr: 804FA88E
09:32:29:796 0560 DetectCureTDL3: IrpHandler (11) addr: 804FA88E
09:32:29:796 0560 DetectCureTDL3: IrpHandler (12) addr: 804FA88E
09:32:29:796 0560 DetectCureTDL3: IrpHandler (13) addr: 804FA88E
09:32:29:796 0560 DetectCureTDL3: IrpHandler (14) addr: F8A2A180
09:32:29:796 0560 DetectCureTDL3: IrpHandler (15) addr: F8A259E6
09:32:29:796 0560 DetectCureTDL3: IrpHandler (16) addr: 804FA88E
09:32:29:796 0560 DetectCureTDL3: IrpHandler (17) addr: 804FA88E
09:32:29:796 0560 DetectCureTDL3: IrpHandler (18) addr: 804FA88E
09:32:29:796 0560 DetectCureTDL3: IrpHandler (19) addr: 804FA88E
09:32:29:796 0560 DetectCureTDL3: IrpHandler (20) addr: 804FA88E
09:32:29:796 0560 DetectCureTDL3: IrpHandler (21) addr: 804FA88E
09:32:29:796 0560 DetectCureTDL3: IrpHandler (22) addr: F8A295F0
09:32:29:796 0560 DetectCureTDL3: IrpHandler (23) addr: F8A27A6E
09:32:29:796 0560 DetectCureTDL3: IrpHandler (24) addr: 804FA88E
09:32:29:796 0560 DetectCureTDL3: IrpHandler (25) addr: 804FA88E
09:32:29:796 0560 DetectCureTDL3: IrpHandler (26) addr: 804FA88E
09:32:29:796 0560 KLMD_ReadMem: Trying to ReadMemory 0xF8A26F26[0x400]
09:32:29:796 0560 TDL3_StartIoHookDetect: CheckParameters: 0, 00000000, 0
09:32:29:796 0560 TDL3_FileDetect: Processing driver: USBSTOR
09:32:29:796 0560 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
09:32:29:796 0560 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
09:32:29:812 0560 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: Clean
09:32:29:812 0560
09:32:29:812 0560 DetectCureTDL3: DEVICE_OBJECT: 82F759F0
09:32:29:812 0560 KLMD_GetLowerDeviceObject: Trying to get lower device object for 82F759F0
09:32:29:812 0560 KLMD_ReadMem: Trying to ReadMemory 0x82F759F0[0x38]
09:32:29:812 0560 DetectCureTDL3: DRIVER_OBJECT: 82F58A08
09:32:29:812 0560 KLMD_ReadMem: Trying to ReadMemory 0x82F58A08[0xA8]
09:32:29:812 0560 KLMD_ReadMem: Trying to ReadMemory 0xE101D858[0x18]
09:32:29:812 0560 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
09:32:29:812 0560 DetectCureTDL3: IrpHandler (0) addr: F87BBBB0
09:32:29:812 0560 DetectCureTDL3: IrpHandler (1) addr: 804FA88E
09:32:29:812 0560 DetectCureTDL3: IrpHandler (2) addr: F87BBBB0
09:32:29:812 0560 DetectCureTDL3: IrpHandler (3) addr: F87B5D1F
09:32:29:812 0560 DetectCureTDL3: IrpHandler (4) addr: F87B5D1F
09:32:29:812 0560 DetectCureTDL3: IrpHandler (5) addr: 804FA88E
09:32:29:812 0560 DetectCureTDL3: IrpHandler (6) addr: 804FA88E
09:32:29:812 0560 DetectCureTDL3: IrpHandler (7) addr: 804FA88E
09:32:29:812 0560 DetectCureTDL3: IrpHandler (8) addr: 804FA88E
09:32:29:812 0560 DetectCureTDL3: IrpHandler (9) addr: F87B62E2
09:32:29:812 0560 DetectCureTDL3: IrpHandler (10) addr: 804FA88E
09:32:29:812 0560 DetectCureTDL3: IrpHandler (11) addr: 804FA88E
09:32:29:812 0560 DetectCureTDL3: IrpHandler (12) addr: 804FA88E
09:32:29:812 0560 DetectCureTDL3: IrpHandler (13) addr: 804FA88E
09:32:29:812 0560 DetectCureTDL3: IrpHandler (14) addr: F87B63BB
09:32:29:812 0560 DetectCureTDL3: IrpHandler (15) addr: F87B9F28
09:32:29:812 0560 DetectCureTDL3: IrpHandler (16) addr: F87B62E2
09:32:29:812 0560 DetectCureTDL3: IrpHandler (17) addr: 804FA88E
09:32:29:812 0560 DetectCureTDL3: IrpHandler (18) addr: 804FA88E
09:32:29:812 0560 DetectCureTDL3: IrpHandler (19) addr: 804FA88E
09:32:29:812 0560 DetectCureTDL3: IrpHandler (20) addr: 804FA88E
09:32:29:812 0560 DetectCureTDL3: IrpHandler (21) addr: 804FA88E
09:32:29:812 0560 DetectCureTDL3: IrpHandler (22) addr: F87B7C82
09:32:29:812 0560 DetectCureTDL3: IrpHandler (23) addr: F87BC99E
09:32:29:812 0560 DetectCureTDL3: IrpHandler (24) addr: 804FA88E
09:32:29:812 0560 DetectCureTDL3: IrpHandler (25) addr: 804FA88E
09:32:29:812 0560 DetectCureTDL3: IrpHandler (26) addr: 804FA88E
09:32:29:812 0560 TDL3_FileDetect: Processing driver: Disk
09:32:29:812 0560 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
09:32:29:812 0560 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
09:32:29:812 0560 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
09:32:29:812 0560
09:32:29:812 0560 DetectCureTDL3: DEVICE_OBJECT: 82F55C68
09:32:29:812 0560 KLMD_GetLowerDeviceObject: Trying to get lower device object for 82F55C68
09:32:29:812 0560 KLMD_ReadMem: Trying to ReadMemory 0x82F55C68[0x38]
09:32:29:812 0560 DetectCureTDL3: DRIVER_OBJECT: 82F58A08
09:32:29:812 0560 KLMD_ReadMem: Trying to ReadMemory 0x82F58A08[0xA8]
09:32:29:812 0560 KLMD_ReadMem: Trying to ReadMemory 0xE101D858[0x18]
09:32:29:812 0560 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
09:32:29:812 0560 DetectCureTDL3: IrpHandler (0) addr: F87BBBB0
09:32:29:812 0560 DetectCureTDL3: IrpHandler (1) addr: 804FA88E
09:32:29:812 0560 DetectCureTDL3: IrpHandler (2) addr: F87BBBB0
09:32:29:812 0560 DetectCureTDL3: IrpHandler (3) addr: F87B5D1F
09:32:29:812 0560 DetectCureTDL3: IrpHandler (4) addr: F87B5D1F
09:32:29:812 0560 DetectCureTDL3: IrpHandler (5) addr: 804FA88E
09:32:29:812 0560 DetectCureTDL3: IrpHandler (6) addr: 804FA88E
09:32:29:812 0560 DetectCureTDL3: IrpHandler (7) addr: 804FA88E
09:32:29:812 0560 DetectCureTDL3: IrpHandler (8) addr: 804FA88E
09:32:29:812 0560 DetectCureTDL3: IrpHandler (9) addr: F87B62E2
09:32:29:812 0560 DetectCureTDL3: IrpHandler (10) addr: 804FA88E
09:32:29:812 0560 DetectCureTDL3: IrpHandler (11) addr: 804FA88E
09:32:29:812 0560 DetectCureTDL3: IrpHandler (12) addr: 804FA88E
09:32:29:812 0560 DetectCureTDL3: IrpHandler (13) addr: 804FA88E
09:32:29:812 0560 DetectCureTDL3: IrpHandler (14) addr: F87B63BB
09:32:29:812 0560 DetectCureTDL3: IrpHandler (15) addr: F87B9F28
09:32:29:812 0560 DetectCureTDL3: IrpHandler (16) addr: F87B62E2
09:32:29:812 0560 DetectCureTDL3: IrpHandler (17) addr: 804FA88E
09:32:29:812 0560 DetectCureTDL3: IrpHandler (18) addr: 804FA88E
09:32:29:812 0560 DetectCureTDL3: IrpHandler (19) addr: 804FA88E
09:32:29:812 0560 DetectCureTDL3: IrpHandler (20) addr: 804FA88E
09:32:29:812 0560 DetectCureTDL3: IrpHandler (21) addr: 804FA88E
09:32:29:828 0560 DetectCureTDL3: IrpHandler (22) addr: F87B7C82
09:32:29:828 0560 DetectCureTDL3: IrpHandler (23) addr: F87BC99E
09:32:29:828 0560 DetectCureTDL3: IrpHandler (24) addr: 804FA88E
09:32:29:828 0560 DetectCureTDL3: IrpHandler (25) addr: 804FA88E
09:32:29:828 0560 DetectCureTDL3: IrpHandler (26) addr: 804FA88E
09:32:29:828 0560 TDL3_FileDetect: Processing driver: Disk
09:32:29:828 0560 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
09:32:29:828 0560 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
09:32:29:828 0560 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
09:32:29:828 0560
09:32:29:828 0560 DetectCureTDL3: DEVICE_OBJECT: 82F9CC68
09:32:29:828 0560 KLMD_GetLowerDeviceObject: Trying to get lower device object for 82F9CC68
09:32:29:828 0560 KLMD_ReadMem: Trying to ReadMemory 0x82F9CC68[0x38]
09:32:29:828 0560 DetectCureTDL3: DRIVER_OBJECT: 82F58A08
09:32:29:828 0560 KLMD_ReadMem: Trying to ReadMemory 0x82F58A08[0xA8]
09:32:29:828 0560 KLMD_ReadMem: Trying to ReadMemory 0xE101D858[0x18]
09:32:29:828 0560 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
09:32:29:828 0560 DetectCureTDL3: IrpHandler (0) addr: F87BBBB0
09:32:29:828 0560 DetectCureTDL3: IrpHandler (1) addr: 804FA88E
09:32:29:828 0560 DetectCureTDL3: IrpHandler (2) addr: F87BBBB0
09:32:29:828 0560 DetectCureTDL3: IrpHandler (3) addr: F87B5D1F
09:32:29:828 0560 DetectCureTDL3: IrpHandler (4) addr: F87B5D1F
09:32:29:828 0560 DetectCureTDL3: IrpHandler (5) addr: 804FA88E
09:32:29:828 0560 DetectCureTDL3: IrpHandler (6) addr: 804FA88E
09:32:29:828 0560 DetectCureTDL3: IrpHandler (7) addr: 804FA88E
09:32:29:828 0560 DetectCureTDL3: IrpHandler (8) addr: 804FA88E
09:32:29:828 0560 DetectCureTDL3: IrpHandler (9) addr: F87B62E2
09:32:29:828 0560 DetectCureTDL3: IrpHandler (10) addr: 804FA88E
09:32:29:828 0560 DetectCureTDL3: IrpHandler (11) addr: 804FA88E
09:32:29:828 0560 DetectCureTDL3: IrpHandler (12) addr: 804FA88E
09:32:29:828 0560 DetectCureTDL3: IrpHandler (13) addr: 804FA88E
09:32:29:828 0560 DetectCureTDL3: IrpHandler (14) addr: F87B63BB
09:32:29:828 0560 DetectCureTDL3: IrpHandler (15) addr: F87B9F28
09:32:29:828 0560 DetectCureTDL3: IrpHandler (16) addr: F87B62E2
09:32:29:828 0560 DetectCureTDL3: IrpHandler (17) addr: 804FA88E
09:32:29:828 0560 DetectCureTDL3: IrpHandler (18) addr: 804FA88E
09:32:29:828 0560 DetectCureTDL3: IrpHandler (19) addr: 804FA88E
09:32:29:828 0560 DetectCureTDL3: IrpHandler (20) addr: 804FA88E
09:32:29:828 0560 DetectCureTDL3: IrpHandler (21) addr: 804FA88E
09:32:29:828 0560 DetectCureTDL3: IrpHandler (22) addr: F87B7C82
09:32:29:828 0560 DetectCureTDL3: IrpHandler (23) addr: F87BC99E
09:32:29:828 0560 DetectCureTDL3: IrpHandler (24) addr: 804FA88E
09:32:29:828 0560 DetectCureTDL3: IrpHandler (25) addr: 804FA88E
09:32:29:828 0560 DetectCureTDL3: IrpHandler (26) addr: 804FA88E
09:32:29:828 0560 TDL3_FileDetect: Processing driver: Disk
09:32:29:828 0560 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
09:32:29:828 0560 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
09:32:29:828 0560 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
09:32:29:828 0560
09:32:29:828 0560 DetectCureTDL3: DEVICE_OBJECT: 82F9DAB8
09:32:29:828 0560 KLMD_GetLowerDeviceObject: Trying to get lower device object for 82F9DAB8
09:32:29:828 0560 DetectCureTDL3: DEVICE_OBJECT: 82FCD9E8
09:32:29:828 0560 KLMD_GetLowerDeviceObject: Trying to get lower device object for 82FCD9E8
09:32:29:828 0560 DetectCureTDL3: DEVICE_OBJECT: 82F7DD98
09:32:29:828 0560 KLMD_GetLowerDeviceObject: Trying to get lower device object for 82F7DD98
09:32:29:828 0560 KLMD_ReadMem: Trying to ReadMemory 0x82F7DD98[0x38]
09:32:29:828 0560 DetectCureTDL3: DRIVER_OBJECT: 82FA0C28
09:32:29:828 0560 KLMD_ReadMem: Trying to ReadMemory 0x82FA0C28[0xA8]
09:32:29:828 0560 KLMD_ReadMem: Trying to ReadMemory 0xE15FE368[0x1A]
09:32:29:828 0560 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
09:32:29:828 0560 DetectCureTDL3: IrpHandler (0) addr: F86E76F2
09:32:29:828 0560 DetectCureTDL3: IrpHandler (1) addr: 804FA88E
09:32:29:828 0560 DetectCureTDL3: IrpHandler (2) addr: F86E76F2
09:32:29:828 0560 DetectCureTDL3: IrpHandler (3) addr: 804FA88E
09:32:29:828 0560 DetectCureTDL3: IrpHandler (4) addr: 804FA88E
09:32:29:828 0560 DetectCureTDL3: IrpHandler (5) addr: 804FA88E
09:32:29:828 0560 DetectCureTDL3: IrpHandler (6) addr: 804FA88E
09:32:29:828 0560 DetectCureTDL3: IrpHandler (7) addr: 804FA88E
09:32:29:828 0560 DetectCureTDL3: IrpHandler (8) addr: 804FA88E
09:32:29:828 0560 DetectCureTDL3: IrpHandler (9) addr: 804FA88E
09:32:29:828 0560 DetectCureTDL3: IrpHandler (10) addr: 804FA88E
09:32:29:828 0560 DetectCureTDL3: IrpHandler (11) addr: 804FA88E
09:32:29:828 0560 DetectCureTDL3: IrpHandler (12) addr: 804FA88E
09:32:29:828 0560 DetectCureTDL3: IrpHandler (13) addr: 804FA88E
09:32:29:828 0560 DetectCureTDL3: IrpHandler (14) addr: F86E7712
09:32:29:828 0560 DetectCureTDL3: IrpHandler (15) addr: F86E3852
09:32:29:828 0560 DetectCureTDL3: IrpHandler (16) addr: 804FA88E
09:32:29:828 0560 DetectCureTDL3: IrpHandler (17) addr: 804FA88E
09:32:29:828 0560 DetectCureTDL3: IrpHandler (18) addr: 804FA88E
09:32:29:828 0560 DetectCureTDL3: IrpHandler (19) addr: 804FA88E
09:32:29:828 0560 DetectCureTDL3: IrpHandler (20) addr: 804FA88E
09:32:29:828 0560 DetectCureTDL3: IrpHandler (21) addr: 804FA88E
09:32:29:828 0560 DetectCureTDL3: IrpHandler (22) addr: F86E773C
09:32:29:828 0560 DetectCureTDL3: IrpHandler (23) addr: F86EE336
09:32:29:828 0560 DetectCureTDL3: IrpHandler (24) addr: 804FA88E
09:32:29:828 0560 DetectCureTDL3: IrpHandler (25) addr: 804FA88E
09:32:29:828 0560 DetectCureTDL3: IrpHandler (26) addr: 804FA88E
09:32:29:828 0560 KLMD_ReadMem: Trying to ReadMemory 0xF86E4864[0x400]
09:32:29:828 0560 TDL3_StartIoHookDetect: CheckParameters: 0, 00000000, 0
09:32:29:828 0560 TDL3_FileDetect: Processing driver: atapi
09:32:29:828 0560 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
09:32:29:828 0560 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\atapi.sys
09:32:29:843 0560 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: Clean
09:32:29:843 0560
09:32:29:843 0560 DetectCureTDL3: DEVICE_OBJECT: 82F65AB8
09:32:29:843 0560 KLMD_GetLowerDeviceObject: Trying to get lower device object for 82F65AB8
09:32:29:843 0560 DetectCureTDL3: DEVICE_OBJECT: 82FCEF18
09:32:29:843 0560 KLMD_GetLowerDeviceObject: Trying to get lower device object for 82FCEF18
09:32:29:843 0560 DetectCureTDL3: DEVICE_OBJECT: 82F59D98
09:32:29:843 0560 KLMD_GetLowerDeviceObject: Trying to get lower device object for 82F59D98
09:32:29:843 0560 KLMD_ReadMem: Trying to ReadMemory 0x82F59D98[0x38]
09:32:29:843 0560 DetectCureTDL3: DRIVER_OBJECT: 82FA0C28
09:32:29:843 0560 KLMD_ReadMem: Trying to ReadMemory 0x82FA0C28[0xA8]
09:32:29:843 0560 KLMD_ReadMem: Trying to ReadMemory 0xE15FE368[0x1A]
09:32:29:843 0560 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
09:32:29:843 0560 DetectCureTDL3: IrpHandler (0) addr: F86E76F2
09:32:29:843 0560 DetectCureTDL3: IrpHandler (1) addr: 804FA88E
09:32:29:843 0560 DetectCureTDL3: IrpHandler (2) addr: F86E76F2
09:32:29:843 0560 DetectCureTDL3: IrpHandler (3) addr: 804FA88E
09:32:29:843 0560 DetectCureTDL3: IrpHandler (4) addr: 804FA88E
09:32:29:843 0560 DetectCureTDL3: IrpHandler (5) addr: 804FA88E
09:32:29:843 0560 DetectCureTDL3: IrpHandler (6) addr: 804FA88E
09:32:29:843 0560 DetectCureTDL3: IrpHandler (7) addr: 804FA88E
09:32:29:843 0560 DetectCureTDL3: IrpHandler (8) addr: 804FA88E
09:32:29:843 0560 DetectCureTDL3: IrpHandler (9) addr: 804FA88E
09:32:29:843 0560 DetectCureTDL3: IrpHandler (10) addr: 804FA88E
09:32:29:843 0560 DetectCureTDL3: IrpHandler (11) addr: 804FA88E
09:32:29:843 0560 DetectCureTDL3: IrpHandler (12) addr: 804FA88E
09:32:29:843 0560 DetectCureTDL3: IrpHandler (13) addr: 804FA88E
09:32:29:843 0560 DetectCureTDL3: IrpHandler (14) addr: F86E7712
09:32:29:843 0560 DetectCureTDL3: IrpHandler (15) addr: F86E3852
09:32:29:843 0560 DetectCureTDL3: IrpHandler (16) addr: 804FA88E
09:32:29:843 0560 DetectCureTDL3: IrpHandler (17) addr: 804FA88E
09:32:29:843 0560 DetectCureTDL3: IrpHandler (18) addr: 804FA88E
09:32:29:843 0560 DetectCureTDL3: IrpHandler (19) addr: 804FA88E
09:32:29:859 0560 DetectCureTDL3: IrpHandler (20) addr: 804FA88E
09:32:29:859 0560 DetectCureTDL3: IrpHandler (21) addr: 804FA88E
09:32:29:859 0560 DetectCureTDL3: IrpHandler (22) addr: F86E773C
09:32:29:859 0560 DetectCureTDL3: IrpHandler (23) addr: F86EE336
09:32:29:859 0560 DetectCureTDL3: IrpHandler (24) addr: 804FA88E
09:32:29:859 0560 DetectCureTDL3: IrpHandler (25) addr: 804FA88E
09:32:29:859 0560 DetectCureTDL3: IrpHandler (26) addr: 804FA88E
09:32:29:859 0560 KLMD_ReadMem: Trying to ReadMemory 0xF86E4864[0x400]
09:32:29:859 0560 TDL3_StartIoHookDetect: CheckParameters: 0, 00000000, 0
09:32:29:859 0560 TDL3_FileDetect: Processing driver: atapi
09:32:29:859 0560 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
09:32:29:859 0560 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\atapi.sys
09:32:29:859 0560 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: Clean
09:32:29:859 0560
09:32:29:859 0560 Completed
09:32:29:859 0560
09:32:29:859 0560 Results:
09:32:29:859 0560 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
09:32:29:859 0560 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
09:32:29:859 0560 File objects infected / cured / cured on reboot: 0 / 0 / 0
09:32:29:859 0560
09:32:29:859 0560 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
09:32:29:859 0560 UtilityDeinit: KLMD(ARK) unloaded successfully

----------------------------------------------------

Vielen Dank für die schnelle und kompetente Hilfe, Chris!

Werde Neuaufsetzen, wenn mein Kumpel aus dem Urlaub wieder da ist.
Muss ich bis dahin oder überhaupt noch etwas beachten?

Mich würde auch interessieren, wie der Trojaner gekommen sein könnte. Ich halte AntiVir immer aktuell und bin recht vorsichtig - habe allerdings einen Verdacht: Für ein online E-Learning musste ich meinen Pop-Up-Blockierer (Firefox) ausstellen. Könnte das der Grund der Infizierung gewesen sein?

Nochmal Danke und viele Grüße,

Sascha

Chris4You · 01.03.2010, 13:19

Hi,

wie der Trojaner drauf gekommen ist, kann ich dir nicht sagen, die meisten Sachen werden vom User runtergeladen, manches auch per Drive-by-download...

Sicherheitsrelevante Sachen würde ich nicht mehr auf dem Rechner machen (z.B. Homebanking)...

chris

PC-Apokalypse: Firewall Deaktivierung, Firefox defekt, AntiVir Meldungen...

Log-Analyse und Auswertung: PC-Apokalypse: Firewall Deaktivierung, Firefox defekt, AntiVir Meldungen...